CVE-2015-5321: Jenkins has Information Disclosure via Sidepanel Widget

May 13, 2022 (updated March 13, 2025)

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

References

access.redhat.com/errata/RHSA-2016:0070
github.com/advisories/GHSA-4653-rmch-3g2g
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/251bdb00ab3cf4435416f0a55fa3bccf7f58896a
github.com/jenkinsci/jenkins/commit/9e439d462c28fe1c96799c89709dc5d0cb8ab8fa
nvd.nist.gov/vuln/detail/CVE-2015-5321
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Detect and mitigate CVE-2015-5321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →